Guillaume Delugré , the security researcher at French security firm Sogeti ESEC has demonstrated how it might be possible to place backdoor rootkit software on a network card.

This proof-of-concept code has been developed after studying the firmware from Broadcom Ethernet NetExtreme PCI Ethernet cards.

He used publicly available documentation and free open-source tools to built a set of tools to instrument the network card firmware. Those tools provided him a way to debug in real-time the MIPS CPU of the network card, as well as doing some advanced instrumentation on the firmware code such as execution flow tracing and memory-accesses logging.

Further, he developed a custom firmware code and flash the device and get execution on the CPU of the network card by reverse engineering of its EEPROM.

The developed rootkit will be residing inside the network card and offers some interesting features:

A very stealthy communication end-point over the Ethernet link. It can intercept and forge network frames without the operating system knowing about it.

A physical system memory access using DMA over the PCI link, leading to OS corruption.

No trace of the rootkit on the operating system, as it is being hidden inside the NIC.

“The network card natively needs to perform DMA accesses, so that network frames can be exchanged between the driver and the device.From the firmware point of view, everything is operated using special dedicated device registers, some of them being non-documented. An attacker would then be able to communicate remotely with the rootkit in the network card and get access to the underlying operating system thanks to DMA,” Delugré explains.

This research has been presented in Hack.lu conference last month. The presentation slides are avaliable to donwload here.